Agenda: tacacs-lab.html

File tacacs-lab.html, 4.5 KB (added by andy, 5 years ago)
2<h1 id="getting-the-tacacs-server-configured"><a href="#getting-the-tacacs-server-configured"><span class="header-section-number">1</span> getting the tacacs+ server configured</a></h1>
3<pre><code>$ sudo apt-get install tacacs+
4$ sudo groupadd -r cisco
5$ sudo vi /etc/tacacs+/tac_plus.conf</code></pre>
6<h2 id="change-the-following-settings"><a href="#change-the-following-settings"><span class="header-section-number">1.1</span> change the following settings</a></h2>
8<li>we want to set the shared key for routers who want to use our service to TacacsPassword</li>
9<li>We also want to limit access for users based on groups. For this example we will use settings in tac_plus.conf</li>
11<h2 id="change-this-line"><a href="#change-this-line"><span class="header-section-number">1.2</span> change this line</a></h2>
12<pre><code>key = TacacsPassword</code></pre>
13<p>In the real world we'd choose a much stronger shared key e.g.</p>
14<pre><code>$ pwgen -s 64  1
16<h2 id="then-at-the-end-of-the-file-....-add"><a href="#then-at-the-end-of-the-file-....-add"><span class="header-section-number">1.3</span> ... then at the end of the file .... add:</a></h2>
18# &quot;level 2&quot; users who cannot &quot;debug&quot; or &quot;config&quot;
20group = l2_tacacs_users {
21    default service = permit
22    login = file /etc/passwd
23    enable = file /etc/passwd
24    service = exec {
25        priv-lvl = 15
26    }
27    cmd = configure {
28        deny &quot;.&quot;
29    }
30    cmd = debug {
31        deny &quot;.&quot;
32    }
35# &quot;level 2&quot; users with full privileges
37group = netops {
38    default service = permit
39    login = file /etc/passwd
40    enable = file /etc/passwd
41    service = exec {
42        priv-lvl = 15
43    }
46# group member with entry in password fileapt-
48user = sysadm {
49    member = netops
52# group member not in password file
53# use tac_pwd command to encode password
55user = rancid {
56    member = netops
57    login = des GAxtUcNh5DBFQ
59<h3 id="check-tacacs_plus-config"><a href="#check-tacacs_plus-config"><span class="header-section-number">1.3.1</span> check tacacs_plus config</a></h3>
60<pre><code>$ sudo service tacacs_plus check</code></pre>
61<p>You should see a response like:</p>
62<pre><code> * Checking TACACS+ authentication daemon configuration files successful tacacs+</code></pre>
63<h3 id="restart-tacacs_plus-to-pick-up-the-new-settings"><a href="#restart-tacacs_plus-to-pick-up-the-new-settings"><span class="header-section-number">1.3.2</span> restart tacacs_plus to pick up the new settings</a></h3>
64<pre><code>$ sudo service tacacs_plus restart</code></pre>
65<h1 id="getting-a-cisco-device-to-talk-to-your-tacacs"><a href="#getting-a-cisco-device-to-talk-to-your-tacacs"><span class="header-section-number">2</span> getting a cisco device to talk to your tacacs</a></h1>
66<p>Enter configuration mode:</p>
67<pre><code>tacacs-server host
68tacacs-server key TacacsPassword</code></pre>
69<p>(Later versions of IOS (15...)have an alternative mechanism for defining these parameters but this can be used on all systems for now.)</p>
70<p>Check that you can reach the tacacs server and authenticate correctly:</p>
71<pre><code>test aaa group tacacs+ sysadm &lt;password&gt; port 49 legacy</code></pre>
72<p>You should see a response like:</p>
73<pre><code>Attempting authentication test to server-group tacacs+ using tacacs+
74User was successfully authenticated.</code></pre>
75<h2 id="now-you-can-finish-configuring-the-router-to-use-tacacs-for-login-control"><a href="#now-you-can-finish-configuring-the-router-to-use-tacacs-for-login-control"><span class="header-section-number">2.1</span> Now you can finish configuring the router to use tacacs for login control:</a></h2>
76<pre><code>aaa new-model
78aaa authentication login default group tacacs+ enable
79aaa authentication login NSRCCONSOLE local-case
80aaa authentication enable default group tacacs+ enable
81aaa authorization exec default group tacacs+ none
82aaa accounting delay-start
83aaa accounting exec default start-stop group tacacs+
84aaa accounting commands 15 default start-stop group tacacs+
86! This lets us login via the console even if tacacs isn&#39;t working
87username NSRCCONSOLE password 0 tpyPo9dT
88line con 0
89 exec-timeout 15 0
90 login authentication NSRCCONSOLE</code></pre>
91<h2 id="now-you-can-verify-accounting"><a href="#now-you-can-verify-accounting"><span class="header-section-number">2.2</span> Now you can verify accounting</a></h2>
92<pre><code>Router#show aaa sessions
93Router#show aaa users all</code></pre>